Distributed Detection of Cyber Attacks
against Power Grids
Hideaki Ishii
Dept. Computational Intelligence and Systems Science
Tokyo Institute of Technology
Workshop on Distributed Energy Management System
Waseda University
December 11th 2015
Acknowledgement
Yacine Chakhchoukh (Tokyo Tech)
Yasunori Isozaki (Tokyo Tech)
Takashi Onoda (CRIEPI (Central Research Institute of Electric Power Industry), Japan)
Isao Ono (Tokyo Tech)
Yasuhiro Hayashi, Shinya Yoshizawa, and Yu Fujimoto (Waseda Univ.)
EMS-CREST Project (Program Head: Masayuki Fujita)
Japan Science and Technology Agency
Future Power Systems with More ICT
More complex due to renewable generation sources and competitive
electricity markets
Real-time diagnostic and monitoring for stable operation and lowering cost
Development of new energy management systems with ICT is necessary.
SCADA Systems
Supervisory Control & Data Acquisition (SCADA)
To monitor/control, networks connect operator terminals and control devices.
Physically operates the devices, and thus safety and security are critical.
Conventional Systems: Connection via isolated networks
Future Systems: Use general ICT techniques, Connection to business networks
Cyber security related issues
[Figure: SCADA network diagram with labels Internet, Business Network, Web Server, Terminal, Control Network, Database for Monitor Data, Control Devices, and Sensors, Switches, Actuators, etc.]
Importance of “Defense in Depth”
Firewalls
Virus Detection
Authentication
Encryption
Intrusion Detection
Monitor networks and detect malicious communication due to faults/attacks
Cyber Security Measures
[Figure: network diagram with labels Mail Server, Business Network, Internet]
Intrusion Detection in SCADA
ICT Systems for Business
Known types of attacks: Apply established methods
SCADA Systems
Known types and illegal communication:
With sufficient data, detection may be possible
However, if the communication is legal, but is intended to control devices,
reliability and safety can be affected.
Conventional ICT-based detections are not enough!
Research Objective
Goal: To Detect Coordinated Attacks against SCADA Systems
We must prevent malicious manipulation of control devices.
What control information is useful for intrusion detection?
Model-Based Distributed Approach
Construct models of the system under normal condition
Detect when the system condition becomes abnormal
Integration of Detection Info
Comm. Network: Probabilistic model based
Power Grid: Dynamical model based
In This Talk
US Dept. of Energy
Cyber security in power systems
Objective of this research
Transmission systems: Attacks against state estimation
Distribution systems: Attacks against voltage regulation
IEEE 14 bus system
State Estimation in the Power Grid
Important for contingency analysis, load forecasting, control, and
evaluating locational marginal pricing for power markets
Evaluate bus voltage magnitudes and phase angles using measurements
of power injection and power flows
Estimate the state (voltage magnitude and phase angles) from the
measurements (active/reactive power, power flows)
: Nonlinear function
: Gaussian noise with
Estimated state via weighted least squares (WLS) after linearization:
: Jacobian matrix of
AC State Estimation
A. Abur and A. Gomez-Exposito (2004)
State Estimation: Linearized Method
Linearized model with after scaling:
LS estimator:
Residual vector:
Bad data detection: To find outliers, it is common to analyze the
residual of WLS:
1. Chi-square test: Check if
Bad data present!
2. Largest normalized residual test: Check if
Remove and redo estimation
False Data Injection Attacks
Consider an attack as
= true measurement + false data
Then, the estimated state becomes
But the residual remains the same:
Stealthy attack: State is manipulated by c, but residual is unchanged.
Residual analysis in bad data detection is not effective.
Y. Liu, P. Ning, and M.K. Reiter (2009), A. Teixeira, H. Sandberg, K.H. Johansson (2010)
L. Xie, Y. Mo, and B. Sinopoli (2010), …
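An added example (not from the slides) of why the chi-square residual test catches a gross error but not false data of the form a = Hc, the standard stealthy form in the cited Liu, Ning, and Reiter work. The 5x2 matrix H, the noise values, and all function names are constructed for illustration, with measurements assumed already scaled to unit noise variance.

```python
# Constructed 5-measurement, 2-state linear model z = Hx + e (not from the slides).
H = [[1, 0], [0, 1], [1, -1], [1, 1], [2, 1]]
X_TRUE = [1.0, -0.5]
NOISE = [0.3, -0.2, 0.1, -0.4, 0.2]   # fixed sample, unit-variance scale
CHI2_95_DF3 = 7.815                   # chi-square 95% quantile for m - n = 3

def predict(H, x):
    return [sum(h * xi for h, xi in zip(row, x)) for row in H]

def ls_estimate(H, z):
    """Least squares for two states via the 2x2 normal equations."""
    a = sum(r[0] * r[0] for r in H)
    b = sum(r[0] * r[1] for r in H)
    d = sum(r[1] * r[1] for r in H)
    g0 = sum(r[0] * zi for r, zi in zip(H, z))
    g1 = sum(r[1] * zi for r, zi in zip(H, z))
    det = a * d - b * b
    return [(d * g0 - b * g1) / det, (a * g1 - b * g0) / det]

def residual_cost(H, z):
    """Sum of squared residuals, the statistic the chi-square test checks."""
    x = ls_estimate(H, z)
    return sum((zi - pi) ** 2 for zi, pi in zip(z, predict(H, x)))

def run_cases():
    z = [p + e for p, e in zip(predict(H, X_TRUE), NOISE)]
    gross = z[:]
    gross[2] += 6.0                                   # one gross measurement error
    c = [0.5, -0.3]                                   # shift hidden in the state
    stealth = [zi + ai for zi, ai in zip(z, predict(H, c))]   # z + Hc
    out = {}
    for name, meas in (("clean", z), ("gross", gross), ("stealth", stealth)):
        J = residual_cost(H, meas)
        out[name] = {"x_hat": ls_estimate(H, meas), "J": J,
                     "alarm": J > CHI2_95_DF3}
    return out

if __name__ == "__main__":
    for name, res in run_cases().items():
        print(name, [round(v, 4) for v in res["x_hat"]],
              round(res["J"], 4), res["alarm"])
```

The stealth case returns the same residual cost as the clean case while the estimate moves by exactly c, which is why the later slides look beyond residual analysis.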
Attacks on the Measurement Function
We consider attacks on the Jacobian matrix:
(called leverage points)
by modifying network topology estimates at SCADA, or
by changing line parameter values
Our approach is based on
Robust estimation methods
Decomposition of the grid
J. Kim and L. Tong (2013), Y. Chakhchoukh and H. Ishii (IEEE Trans Power Syst, 2015)
Robustness against Outliers
If some measurements don’t follow theoretical assumptions, estimation
performance can degrade severely.
Robustness must be enhanced against outliers.
Outliers in matrix H can result in biased WLS estimates.
Not detectable from the residuals
[Figure: scatter plot of data points with the true line and the LS estimator fit, marking a leverage point and a vertical outlier]
Robust Statistics Methods
Least trimmed squares (LTS)
Minimizes the squared residuals by ignoring an α-portion as
where and
Least median of squares (LMS)
Minimizes sample median of the squared residuals
How robust are they in power systems?
R.A. Maronna, R.D. Martin, and V.J. Yohai (2006)
Y. Weng, R. Negi, Q. Liu, and M. Ilic (2011)
Breakdown Points (BDPs) of Estimators
Maximum ratio of # outliers over # measurements tolerable for estimation
Determined by the minimum # measurements that, if removed, leaves one
remaining measurement critical.
BDP of LS = 0
BDP of LTS and LMS , Asymptotically goes to 0.5
Attack scenario 1 (Masked attack)
Attacker modifies entries more than the BDP ⇒ Estimate is affected
Difficult to detect from the residuals
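An added example (not from the slides) of LTS against altered entries of H: a one-state model in which the estimator is given a modified H while the measurements z stay genuine. The data, the trimming level (keep 6 of 8 rows) and the function names are constructed; the search uses single-row starts followed by concentration steps, one common way to compute LTS and not necessarily the authors' solver.

```python
def fit_slope(h, z, idx):
    """Least-squares state estimate (slope through the origin) over rows idx."""
    idx = list(idx)
    return sum(h[i] * z[i] for i in idx) / sum(h[i] ** 2 for i in idx)

def lts_slope(h, z, keep):
    """LTS: minimise the sum of the `keep` smallest squared residuals."""
    best_cost, best_x = float("inf"), None
    for start in range(len(h)):                  # one elemental start per row
        x, subset = z[start] / h[start], None
        for _ in range(50):                      # concentration steps
            order = sorted(range(len(h)), key=lambda i: (z[i] - h[i] * x) ** 2)
            new_subset = sorted(order[:keep])
            if new_subset == subset:
                break
            subset = new_subset
            x = fit_slope(h, z, subset)
        cost = sum((z[i] - h[i] * x) ** 2 for i in subset)
        if cost < best_cost:
            best_cost, best_x = cost, x
    return best_x

# Constructed data: true state 2.0, eight measurements with small fixed noise.
X_TRUE = 2.0
H_TRUE = [1, 2, 3, 4, 5, 6, 7, 8]
NOISE = [0.02, -0.03, 0.01, 0.04, -0.02, 0.03, -0.01, 0.02]
Z = [X_TRUE * h + e for h, e in zip(H_TRUE, NOISE)]
H_ONE = [1, 2, 3, 4, 5, 6, 7, 20]       # one altered entry: a leverage point
H_THREE = [1, 2, 3, 4, 5, 18, 21, 24]   # three altered entries, more than trimmed
KEEP = 6                                # trims 2 of 8 rows

def compare(h):
    return {"ls": fit_slope(h, Z, range(len(h))), "lts": lts_slope(h, Z, KEEP)}

if __name__ == "__main__":
    for name, h in (("true H", H_TRUE), ("1 altered", H_ONE), ("3 altered", H_THREE)):
        print(name, {k: round(v, 3) for k, v in compare(h).items()})
```

With one altered entry LS is pulled far from 2.0 while LTS trims the leverage point; with three altered entries, more than the two rows LTS can discard, the trimmed fit follows the altered rows and discards good data instead.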
Decomposition of the Grid
Power systems are very sparse: BDPs are small for large systems.
Our approach: Decompose the grid into islands/subsystems
IEEE 14 bus system: Decomposed into 8 islands (7 cyclic and 1 radial):
L. Mili, M.G. Cheniae, and P.J. Rousseeuw (1994)
Scenarios for Stealthy Attacks
Theorem: If the attack satisfies , then
, that is, . (Scenario 2: Stealthy attack)
Example: Take as
(i) the ith column is a scalar multiple of that of :
(ii) the rest are zero.
Then, the estimated state is
This attack requires modifying all nonzero entries of .
Power systems are sparse, so this type of attack can be done locally.
Different Scenarios against LTS
Proposition:
If more than ( x BDP) entries of are modified
State estimate is affected. (Scenario 1: Masked attack)
If more than ( x (1-BDP)) entries of are used
(Scenario 2: Stealthy attack)
[Figure: danger level (low to high) versus # of attacks, marking Scenario 1 and Scenario 2]
Good data will be treated as bad and thus ignored!
IEEE 14 bus system with 123 measurements
Two methods: (i) Least trimmed squares (LTS) with decomposition
BDPs at 0.1/0.25 for each island
(ii) Residual analysis (RA): Common in practice
Simulation Results
(1) Random Attacks on H
Random changes in matrix H (8 entries) and measurement z (1 entry)
LTS is robust, but RA is very vulnerable.
The measurement function is altered as
Even LTS is vulnerable against such coordinated attacks.
(2) Stealthy Attacks on Phase Angle at Bus 2
Error appears only here
Attacker has access to island 1 only.
21 measurements
(9 active power flows/injections)
LTS with BDP = 0.25 ⇔ Up to 2 attacks
(2) Stealthy Attacks on Phase Angle at Bus 2
# of attacks   2              4              8              17
LTS            -6.38 (0.7)    -3.01 (2.49)   -1.33 (0.10)   -1.25 (0.09)
RA             -1.92 (1.14)   -4.03 (2.07)   -1.25 (0.29)   -1.10 (0.16)
Estimate of phase angle of bus 2: Average and standard deviation of 100 runs
Scenario 2: States are controlled (> 9-2 = 7 attacks)
Scenario 1: Estimates are unreliable (> 2 attacks)
Discussion
Stealthy attacks in H are challenging
Potential solutions
Increase # of measurements and make them secure
Use multiple estimators with different BDPs
Look at data variations in time
Dynamical approach for distributed detection of attacks
H. Nishino & H. Ishii (2014)
Y. Chakhchoukh and H. Ishii (IEEE Trans Power Syst, 2016)
Distribution Systems: Voltage Regulation
Substations regulate voltage to keep it within admissible range at consumers.
PVs can cause inverse currents, resulting in complex voltage profiles.
A. Teixeira, G. Dan, H. Sandberg, R. Berthier, R. Bobba, and A. Valdes (2014)
Y. Isozaki, S. Yoshizawa, Y. Fujimoto, H. Ishii, I. Ono, T. Onoda, and Y. Hayashi (IEEE Trans Smart Grid, 2015)
[Figure: voltage profiles from the substation, simple (decreasing) versus complex; labels: Current, Future. *LRT = Transformer]
Centralized Voltage Regulation
One solution: Centralized control using measurements from switches
More sensors can enhance control, but cyber security issues can arise.
Elkhatib, El-Shatshat, & Salama (2011), Yoshizawa, Hayashi, Tsuji, & Kamiya (2012)
False data injection
Model of the Distribution System
Small-scale residential area in Japan
High voltage loads: Nodes 3, 5, 8, 9, 11, 13, 14
Low voltage loads: 435 houses in total
Assumed each house with PV generation
[Figure: low voltage load and power generated at PVs]
Voltage Profiles under Normal Conditions
[Figure: voltage profiles without PVs and with PVs, showing the upper limit, lower limit, and output of LRT]
The tap at LRT is switched as loads become higher: Morning & Evening
In the presence of PVs, voltage becomes high during the daytime.
Profiles in the evening/night are similar.
Algorithm to Detect Sensor Value Falsification
Without PVs
1. Voltage in the admissible range
2. Order among nodes
   – Smaller in downstream
   – Void when PVs are active
3. Change rates
4. Lower bound on differences
The simple algorithm can detect attacks on one or two nodes.
However, attacks are still possible.
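An added example (not from the slides or the authors' implementation) of the four checks run over constructed per-unit sensor readings on a five-node feeder. The thresholds, the sample values and the function name are assumptions, as is the reading of check 4 as a lower bound on the difference between a node and its upstream neighbour.

```python
V_MIN, V_MAX = 0.95, 1.05   # check 1: admissible range, per unit (assumed)
MAX_STEP = 0.005            # check 3: largest plausible change per sample (assumed)
MIN_DIFF = -0.012           # check 4: lower bound on v[i] - v[i-1] (assumed)

def check_sensors(prev, curr, pv_active):
    """Return sorted (check, node) pairs for every violated check.

    Nodes are ordered from the substation (index 0) to the feeder end;
    prev and curr are consecutive samples of the reported voltages.
    """
    hits = []
    for i, v in enumerate(curr):
        if not V_MIN <= v <= V_MAX:
            hits.append((1, i))
        # Check 2 is void while PVs are active (inverse currents are possible).
        if i > 0 and not pv_active and v > curr[i - 1]:
            hits.append((2, i))
        if abs(v - prev[i]) > MAX_STEP:
            hits.append((3, i))
        if i > 0 and v - curr[i - 1] < MIN_DIFF:
            hits.append((4, i))
    return sorted(hits)

# Constructed samples: a normal evening profile and one falsified reading.
PREV = [1.030, 1.022, 1.015, 1.009, 1.004]
NORMAL = [1.029, 1.021, 1.014, 1.008, 1.003]
FALSIFIED = [1.029, 1.021, 1.025, 1.008, 1.003]   # node 2 reports a raised value

if __name__ == "__main__":
    print(check_sensors(PREV, NORMAL, pv_active=False))
    print(check_sensors(PREV, FALSIFIED, pv_active=False))
    print(check_sensors(PREV, FALSIFIED, pv_active=True))
```

A single falsified node trips the order, change-rate and difference checks at once; with PVs active the order check drops out and the other two still fire.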
Example (Without PV): Attacks at Five Nodes
No tap change
1. To cancel upward tap change
2. To avoid detection
Sensor values: Normal; Actual values: Undervoltage
Sensor values: Normal; Actual values: Undervoltage
1. To cancel upward tap change
2. To induce downward tap change
3. To avoid detection
Attacks at 1-2 nodes can be all detected by the algorithm.
With 3 or more attacks, tap changes can be suppressed.
Compared to no PV case: More complicated, but similar damages
Example (With PVs): Attacks at five nodes
False tap change
Effectiveness of the Algorithm
[Figure: the amount of voltage violation (V・s) versus # of attacked nodes]
Attacks on one or two nodes can be prevented.
No difference between with/without PVs
Discussion
Simple algorithm for attack detection can be useful.
Steps can be added to enhance detection.
Further research:
Study the case with PV output regulation
To induce tap changes upwards
PVs reduce outputs!
Conclusion
Distributed detection of cyber attacks in power systems EMS
System theoretic approaches based on models
Transmission Systems: Robust state estimation
Distribution Systems: Centralized voltage control
New area of research with a lot of potential collaborations
Networked control in a broad sense, with specific control applications
References
Y. Chakhchoukh and H. Ishii, Coordinated cyber-attacks on the measurement
function in hybrid state estimation, IEEE Trans. on Power Systems, 2015.
Y. Chakhchoukh and H. Ishii, Enhancing robustness to cyber-attacks through
multiple least trimmed squares in power state estimation, IEEE Trans. on
Power Systems, to appear, 2016.
Y. Isozaki, S. Yoshizawa, Y. Fujimoto, H. Ishii, I. Ono, T. Onoda, and Y. Hayashi,
Detection of cyber attacks against voltage control in distribution power grids,
IEEE Trans. Smart Grid, to appear, 2015.
H. Nishino and H. Ishii, Distributed detection of cyber attacks and faults for
power systems, Proc. 19th IFAC World Congress, 2014.